# Username lists ## Generic Wordlist ``` ls /usr/share/seclists/Usernames cirt-default-usernames.txt README.md CommonAdminBase64.txt sap-default-usernames.txt Honeypot-Captures top-usernames-shortlist.txt mssql-usernames-nansh0u-guardicore.txt xato-net-10-million-usernames-dup.txt Names xato-net-10-million-usernames.txt ``` ``` locate names.txt /opt/useful/SecLists/Usernames/Names/names.txt ``` {% embed url="" %} {% embed url="" %} ## Unix ``` ls /opt/tools/metasploit-framework/data/wordlists/ | grep unix unix_passwords.txt unix_users.txt ``` ## Windows {% embed url="" %} jsmith.txt and a lot of usefull usernamelist like service-accounts.txt test-accounts or top-formats.txt {% endembed %} ``` /opt/tools/metasploit-framework/data/wordlists/namelist.txt ``` ### AD User Naming Convention ``` joe.smith jmith joesmi ``` {% embed url="" %} | Username Convention | Practical Example for Jane Jill Doe | | ----------------------------------- | ----------------------------------- | | `firstinitiallastname` | jdoe | | `firstinitialmiddleinitiallastname` | jjdoe | | `firstnamelastname` | janedoe | | `firstname.lastname` | jane.doe | | `lastname.firstname` | doe.jane | | `nickname` | doedoehacksstuff | Often, an email address's structure will give us the employee's username (structure: username\@domain). For example, from the email address `jdoe`@`inlanefreight.com`, we see that `jdoe` is the username. {% hint style="info" %} `A tip from MrB3n: We can often find the email structure by Googling the domain name, i.e., “@inlanefreight.com” and get some valid emails. From there, we can use a script to scrape various social media sites and mashup potential valid usernames. Some organizations try to obfuscate their usernames to prevent spraying, so they may alias their username like a907 (or something similar) back to joe.smith. That way, email messages can get through, but the actual internal username isn’t disclosed, making password spraying harder. Sometimes you can use google dorks to search for “inlanefreight.com filetype:pdf” and find some valid usernames in the PDF properties if they were generated using a graphics editor. From there, you may be able to discern the username structure and potentially write a small script to create many possible combinations and then spray to see if any come back valid.` {% endhint %} ## Custom wordlist ``` $ ./username-anarchy -i /home/ltnbob/names.txt ``` ``` username-anarchy John Marston john johnmarston john.marston johnmars johnm j.marston jmarston mjohn m.john marstonj marston marston.j marston.john jm ``` ```bash ./username-anarchy Bill Gates > bill.txt ``` Also with only one user, we can extract the list of all users - See [Netexec - CME](/0xss0rz/pentest/tools/netexec-cme.md) and [SMB (445, 139)](/0xss0rz/pentest/protocols/smb-445-139-rpc.md) {% embed url="" %} ## [Earn Free Crypto / BTC with Cointiply](https://cointiply.com/r/pkZxp) [**Play Games Earn Cash Rewards**](https://cointiply.com/r/pkZxp)
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xss0rz.gitbook.io/0xss0rz/pentest/brute-force/username-lists.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.